Cyber Attack

TRANSCRIPT

NARRATION: A blackout hits major cities. Streets flood. Trains grind to a halt. Banks lose data simultaneously. A large-scale strategic attack is executed within minutes over the internet. It sounds far-fetched, but the US is taking the threat of a cyber 9/11 very seriously.

President Barack Obama: Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air-traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy.

NARRATION: Security experts say the threat of a cyber terror attack in Australia is just as real, and escalating.

Phil Kernick: Everything is interconnected in a way that it never has been. So, every traffic light, every building security system.

Dr Ernest Foo: It's very possible to bring down a whole city. I think it's definitely a possibility. Hackers can do this.

Anja Taylor: Just about every critical service you can think of runs off the same basic control system that dates back to the '60s. It's called 'SCADA'.

NARRATION: SCADA allows industrial processes to be monitored and controlled over long distances. Motors, pumps and sensors gather information from the utility and send it back via servers to a central network of computers. SCADA systems weren't designed with security in mind, and certainly not cyber security. But now more and more are being connected to the internet.

Phil Kernick: There are really good reasons for wanting to be able to get remote access to a control system. Something needs monitoring, you want to be able to do it from a convenient location.

Dr Ernest Foo: That's where the vulnerability comes in. It means that somebody else can step into their shoes.

NARRATION: To show how easily and quickly a SCADA system can be hijacked, Ernest Foo and his team at the Queensland University of Technology have built a miniature water facility.

Dr Ernest Foo: We've got two reservoirs – and we've got a lower reservoir and a pump connecting it to an upper reservoir.

Anja Taylor: So we're moving water from that reservoir to that reservoir.

Dr Ernest Foo: Yeah.

Anja Taylor: So this is basically what you'd see at a normal water facility?

Dr Ernest Foo: Yeah, yeah, it would.

NARRATION: Once the system is hacked into, which is relatively easy to do, taking over the controls takes a couple of minutes.

Dr Ernest Foo: We know that a particular register controls the pump.

Anja Taylor: Yep.

Dr Ernest Foo: And we're flooding it with a value of zero, which will turn off the pump.

Anja Taylor: Pump's off.

Dr Ernest Foo: Pump's off. Just like that.

Anja Taylor: So is it that simple to hack into a larger-scale version of this kind of a utility?

Dr Ernest Foo: Yep. The messages that we're sending from the laptop to our facility are the same kinds of messages sent to all critical infrastructure.

Anja Taylor: Scary.

Dr Ernest Foo: Very scary.

NARRATION: Ernest has been looking at SCADA systems common in mining, gas pipelines and other critical infrastructure and finds similar flaws.

Dr Ernest Foo: What we found is that it's really easy to attack these systems. None of the messages are authenticated, so there's no way for the system to realise that the legitimate operator is sending the command or a hacker is sending the command.

NARRATION: What is escalating concern over critical infrastructure is a shift in who's doing the hacking. Increasingly, cyber attacks are politically motivated, well funded and targeted.

Phil Kernick: So it's gone from individuals with an individual cause to groups with a group cause and a lot of money behind them. And I think that's a real concern, because that's a real change, and I don't think businesses are ready for this level of change.

Anja Taylor: Although it's never been officially admitted, it's thought that the US was behind one of the most successful real-world sabotages of a critical SCADA control system. In 2010, Stuxnet made the world sit up and take notice.

NARRATION: Unwittingly introduced by a worker at Iran's nuclear enrichment plant, the Stuxnet worm created new variants of itself, each one causing centrifuges to spin too fast or too slowly and in some cases explode.

Lionel Smyth: Yeah, well, I guess Stuxnet was a wake-up call for all sorts of critical infrastructure. Cos, it was the first time people had tried to physically damage something rather than just maliciously cause grief.

NARRATION: TransGrid operates the main electricity infrastructure across New South Wales. It's hard to overestimate the chaos that would ensue if you could knock out these big babies in a cyber attack.

Lionel Smyth: If you knocked all the transformers out, the economic consequences would be massive - you're talking about no power for the trains, no power for the lifts in the high-rise buildings, no power for the traffic lights. A massive impact.

Anja Taylor: And how possible is that, to knock out one of these transformers, or all of them, through a cyber attack?

Lionel Smyth: To knock out all of them, virtually impossible. Because the transformers aren't connected to the internet in any way. They have self-protecting devices within them, which makes sure, if there's a problem with the transformer, it takes itself out of service.

NARRATION: To control anything on this grid, you need to get through three levels of physical security and take a police-checked seat in here.

Anja Taylor: So you can't access any of this system online?

Lionel Smyth: No. There's no connection between the SCADA and the internet.

NARRATION: Even if you got in here, there's little way of introducing a bug into the system.

Lionel Smyth: There's no USB ports that are connected to anything, there's no CD drives, there's no other spots where you can plug something in.

NARRATION: But hackers don't make a habit of using the front door.

Dr Ernest Foo: Hackers usually can break into control systems through a corporate network which has been connected to the control system. Corporate networks usually have web servers and web pages that are open to the internet. It means anyone can come in.

Lionel Smyth: It's definitely an area we have to treat very carefully. We have an arrangement set up where information is exported from the SCADA system and then is collected in another part of the corporate-data network. There's no connection that allows you to get into the SCADA.

Phil Kernick: Every time we've evaluated one, we've found we've been able to break through from the corporate network to the control network. No matter what they've done, we've always found a way through.

Alastair MacGibbon: There is no such thing as a secure system, there's just varying degrees of insecurity.

NARRATION: The power grid seems fairly well covered, but many other critical SCADA systems are online and vulnerable. A quick internet search reveals numerous possible targets. So why has there only been a handful of successful attacks on SCADA systems worldwide?

Phil Kernick: No-one wants to start a war. If you really do something ludicrously overtly, then you are just asking for someone to respond in a physical way. So we do it all sneaky. We do it all in the back door.

NARRATION: An attack on the electrical grid is not the only way to sap a nation of its power.

Anja Taylor: Steal the secrets that make a country wealthy, and you slowly bleed it dry while hardly anyone notices.

NARRATION: It was from this nondescript building in Shanghai that attacks were launched on over 140 major US businesses. Computer-security company Mandiant even recorded screen grabs as China's cyber army stole hundreds of terabytes of intellectual property. The US claims China is behind the biggest transfer of wealth in history.

Alastair MacGibbon: There's no doubt that any significant IP possessed by Australian universities, research institutes or corporations is under constant attack, by probably foreign governments more than anyone, who have a strong interest in transferring that IP to their own nation.

NARRATION: Establishing the real impact of these types of attacks is impossible when most go unreported.

Alastair MacGibbon: I think we need legislation to compel government and corporates to actually come clean, to say what has happened. Industry self-regulation in this regard hasn't worked.

NARRATION: But it can be hard to come clean when you're unaware of being hacked in the first place.

Phil Kernick: We've certainly seen situations where we've been called in to talk to businesses who have been penetrated for months and months, and only detected it by accident. We look at security as being three things - prevention, detection and response. Businesses have historically spent a lot on prevention. They spend a lot of time and effort building firewalls and protection mechanisms they're absolutely certain will work. But if they were attacked, would they know?

NARRATION: To be adequately prepared, businesses need a greater focus on intruder-detection systems and isolating or repairing any damage that occurs.

Dr Ernest Foo: New protocols need to be designed, and also the actual devices themselves have to be designed to be cyber-secure.

Alastair MacGibbon: It's fair to say that if you're a determined nation-state or a determined criminal group, that you can own systems. There's no doubt. The biggest question is how long you own them for and how much damage you do when you're inside those systems.

YOUR COMMENTS

Geoff Rhodes - 14 Jun 2013 10:43:36pm

As the immediate past Chair of the ITSEAG I am both encouraged and disappointed by this program. The issue of vulnerability was acknowledged 10 years ago. The response has been throttled by departmental infighting and a lack of understanding on how to effectively engage with the commercial operators who manage those key facilities. The operators are keenly aware of their responsibility to deliver safe and continuing services. I wonder if the government agencies and vocal academics are truly aware of the subtle covert exploits which are far more damaging economically. Are they using well-known sensational but low risk overt threats which the program focussed on rather to advance their own cause (economic advantage) rather than addressing the more concerning issue of covert and effective infiltration of the information systems that underpin our economy? An interesting conundrum.

Dad - 14 Jun 2013 4:49:07pm

"SCADA systems weren't designed with security in mind, and certainly not cyber security. But now more and more are being connected to the internet."

There's your problem right there. These systems should never have been connected to the internet in any way. Convenience for lazy, clueless managers, combined with supposed cost savings is the reason this has been allowed to happen.

As for the US banking system and online services, it is 20 years behind the rest of the world.

Steve - 14 Jun 2013 12:30:06pm

First thing that comes to mind is Die Hard 4. The risk is there (not arguing that) but might all this be overly hyped?

Rod Hughes - 13 Jun 2013 9:31:17pm

There is more and more "internet type technology" going into substations every day. It is a very old assumption, and incorrect, that there is no internet connection to the devices that monitor, control and protect transformers, generators and the circuit breakers. There are many instances even of technicians connecting their 3G laptops into the substation LANs, or using their Smartphones/tablets to control the equipment. The fact that information is transferred from the SCADA system to the Corporate system (which is internet connected) means that there is connectivity to the SCADA system. However there is a lot of work going into working out how to build in the right systems for cyber security - we have a long way to go yet!